SEP 22 2000


MEMORANDUM FOR:             BERNARD E. ANDERSON
                            Assistant Secretary
                             for Employment Standards

                                /S/
FROM:                       JOHN J. GETEK
                            Assistant Inspector General
                             for Audit

SUBJECT:                    OFCCP Information System Security Needs Improvement
                            Letter Report No. 09-00-005-04-001

During a Region IX computer security controls review, we noted several weaknesses that require Office of Federal Contract Compliance Programs (OFCCP) headquarters action to correct. We met with OFCCP officials on July 19, 2000, to discuss these weaknesses and the corrective actions identified in this letter report. On September 18, 2000, OFCCP provided comments on a draft of this report. These comments are summarized in this report and attached in their entirety as Attachment A.

Specifically, we are recommending that OFCCP Information System (OFIS) headquarters personnel (1) assign security responsibility, (2) develop security plans, and (3) properly reauthorize application processing. OFCCP generally agreed with the recommendations and stated that corrective actions either had been or would be taken. Additionally, we are issuing a separate letter report to the regional director recommending specific action to correct weaknesses within the regional director's purview.

Introduction and Background

The OFCCP administers laws and regulations that prohibit discrimination by Federal contractors and subcontractors. To assist in accomplishing this mission, OFCCP developed two information systems: (1) the Case Management System (CMS) and (2) the Executive Management System (EIS). Specifically, the CMS is used to measure program performance. CMS is a data entry and reporting tool that displays data concerning the processing of both compliance reviews and complaints. The EIS allows users and managers to access data that track the accomplishments of individual organizational units.

For security purposes, the CMS and the EIS are considered to be a single processing application referred to as the OFIS. The security of the OFIS is governed by OMB Circular A-130. This Circular was issued to provide uniform governmentwide information resources management policies as required by the Paperwork Reduction Act of 1980.

Objective, Scope, and Methodology

Our audit objective was to determine whether OFIS Region IX has adequate and effective management, operational, and technical security controls in place to prevent unauthorized disclosure or modification of sensitive data, or disruption of critical services of its information systems.

Based on the results of our work at Region IX, we expanded our scope to include certain computer security controls at OFCCP headquarters that affected Region IX security controls. Our review was limited to general controls, including security plan development, risk assessment, and contingency planning. This report covers only the issues that are the responsibility of OFCCP headquarters.

We interviewed OFCCP headquarters, Region IX, and contractor personnel who were involved in operating and using the information systems. We also obtained and reviewed (1) available security documents from the Office of the Chief Information Officer, (2) training files for OFCCP headquarters and Region IX personnel, and (3) security documentation in the OFCCP Region IX and headquarters offices.

The principal criteria used during our audit were:

   -   OMB Circular A-130: Management of Federal Information Resources.

   -   Federal Information System Controls Audit Manual (FISCAM), (GAO/AIMD-12.19.6).

   -   National Institute of Standards and Technology (NIST) Special Publications:

       -   An Introduction to Computer Security: The NIST Handbook, NIST Special Publication 800-12.

       -   Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST Special Publication 800-14.

       -   Guide for Developing Security Plans for Information Technology Systems, NIST Special Publication 800-18.

We conducted our fieldwork from January 10, 2000, through June 23, 2000. We held an exit conference with OFCCP headquarters on July 19, 2000. At that meeting, we discussed our findings and recommendations. We have incorporated OFCCP comments into this letter report.

We performed our work in accordance with Government Auditing Standards issued by the Comptroller General of the United States. Our audit included such tests of policies and procedures and other auditing procedures as we considered necessary in the circumstances.

Audit Results

OFCCP Needs to Improve Security Program for OFCCP Critical Systems

OFCCP needs to improve its security program for the OFIS to better protect the agency's critical systems. OFCCP has not assigned security responsibility, developed security plans for its major application, or properly reauthorized application processing, as outlined in OMB Circular A-130. Although OFCCP headquarters officials told us some effort has been applied to these areas, they did not provide documentation to support the level of effort claimed. A systematically and comprehensively planned, adequate, and cost-effective security program for the OFIS is necessary to protect OFCCP's sensitive mission data.

OMB Circular A-130 identifies several basic attributes as fundamental to providing adequate security for an application. Specifically, Appendix III of OMB Circular A-130 requires, as a minimum, that agency security programs for major applications include assigning security responsibility, developing a security plan, reviewing security periodically, and reauthorizing application processing.

OFCCP has not complied with these requirements. Specifically, the OFCCP has not:

-  Assigned OFIS system security to a management official knowledgeable about the system, its use, and the personnel involved.

-  Developed a security plan for the OFIS covering such features as application rules, specialized training, personnel security, contingency planning, technical controls, information sharing, and public access controls.

-  Performed a review of the security controls in the OFIS at least every 3 years.

Our review of the OFIS documentation and interviews with OFCCP employees involved in operating the systems identified:

-  No employee was able to define their individual responsibilities over system security.

-  No employee using the OFIS systems had received any security awareness training.

-  No contingency plan had been documented for backup planning or disaster recovery.

Because of these weaknesses, employees or contractors may be violating security standards without being aware of it. In Region IX, for example, we found that a contractor was storing backup tapes of OFCCP sensitive data at a personal residence. Neither the contractor nor OFCCP personnel realized the security breach this posed. If rules of behavior had been developed and security training provided, this might not have occurred. To ensure appropriate system security, OFCCP should develop a security program for the OFIS that incorporates all control requirements in OMB Circular A-130, Appendix III.

According to OFCCP officials, they have begun work on an extensive security program which will correct the weaknesses noted.

Recommendations

We recommend the Assistant Secretary for Employment Standards ensure OFCCP officials:

1. Assign OFIS security responsibility to an OFCCP management official in accordance with OMB Circular A-130.

2. Require OFCCP users of the OFIS to obtain security training.

3. Complete the security program development for the OFIS.

ESA Comments on Draft Report

On September 18, 2000, the Employment Standards Administration (ESA) provided written comments on the draft report. The comments are included in their entirety in Attachment A. In response to the finding and recommendations, ESA stated:

       At the time the audit was conducted, OFCCP had not completed its security risk assessment, nor had it completed a System Security Plan for OFIS. Both of these activities were under way and were completed in August. Since their completion, both the OFIS Vulnerability Assessment Report and System Security Plan (SSP) have been submitted to the Office of the Chief Information Officer and the OIG.

       As part of the development of the OFIS SSP, OFCCP management designated a Program Security Officer, in writing, who is responsible for the security of OFCCP information systems.

ESA also agreed to provide security training and stated:

       OFCCP concurs with the OIG finding that training regarding desktop security was not provided for the CMS and EIS systems. OFCCP is not responsible for such training. The ESA Division of Information Technology Management and Services (DITMS), which is responsible for the entire infrastructure on which OFCCP systems operate, is in the process of developing an ESA-wide Computer Security Awareness Training Program to be implemented in FY 2001.

ESA did not agree that a security breach involving storage of back-up tapes at a personal residence applied to OFCCP and requested that we change the audit report.

OIG Evaluation of the OFCCP Comments

ESA's response to the first recommendation, to designate an OFCCP management official responsible for OFIS security, is sufficient to resolve and close this recommendation.

ESA's response to the second recommendation resolves the recommendation, but we will keep the recommendation open until the ESA-wide Computer Security Awareness Training Program is developed and implemented.

Regarding the security breach, while we confirmed that the back-up tapes being stored at a personal residence do not contain OFIS operational data, they do contain OFCCP user identification and password information, which we believe is sensitive and should not be stored at the personal residence of an ESA contractor. Therefore, we did not change the report.

We request a response to this report within 60 days. If you have any questions regarding this report, please contact Linda G. Darby, Regional Inspector General for Audit, at (415) 975-4030.

Attachment


          Attachment A

OFCCP Comments on the Draft Report